CN108763936B - Relationship chain creating method and device, server, terminal and storage medium - Google Patents

Relationship chain creating method and device, server, terminal and storage medium

Info

Publication number: CN108763936B
Authority: CN (China)
Prior art keywords: file, common, target, target file, terminal
Legal status: Active (status as listed by Google Patents; not a legal conclusion)
Application number: CN201810543956.4A
Other languages: Chinese (zh)
Other versions: CN108763936A (en)
Inventors: 彭宁, 程虎, 沈江波
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd, with priority to CN201810543956.4A; published as CN108763936A, then granted and published as CN108763936B.


Classifications

    • G PHYSICS; G06 COMPUTING, CALCULATING OR COUNTING; G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements


Abstract

The embodiments of the invention disclose a method, an apparatus, a server and a terminal for creating a relationship chain. The method comprises: determining a target file in a terminal, the target file being a terminal file whose associated file cannot be detected while the behavior relation chain of that file is being detected; determining a common terminal set according to the target file, where every common terminal in the set contains the target file; performing file detection on the common terminals in the set to determine a common file in those terminals that has an association relationship with the target file; and creating a behavior relation chain for the target file according to the common file, the chain recording the file node of the target file and the file node of the common file. The embodiments can create a more complete behavior relation chain of a virus.

Description

Relationship chain creating method and device, server, terminal and storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and an apparatus for creating a relationship chain, a server, a terminal, and a storage medium.
Background
A computer virus is a set of computer instructions or program code that its author inserts into a computer program in order to destroy the computer's functions or data, interfere with the use of the computer, and replicate itself. Once a file in a computer contains a virus, the virus spreads as that file is copied or transmitted.
At present, to keep the file resources in a computer from being destroyed, antivirus software is usually used to scan for and remove viruses from the files in the computer, or to protect them. During scanning and removal, however, a virus can counter the antivirus software and hide important behaviors, so the behavior relation chain of the virus collected by the antivirus software may be incomplete and the virus hard to eradicate. How to better create the behavior relation chain of a virus has therefore become a research focus.
Disclosure of Invention
The embodiments of the invention provide a method and an apparatus for creating a relationship chain, a server, a terminal and a storage medium, which can create a more complete behavior relation chain of a virus.
In one aspect, an embodiment provides a method for creating a relationship chain, the method comprising:
determining a target file in the terminal, the target file being a terminal file whose associated file cannot be detected while the behavior relation chain of the target file is being detected;
determining a common terminal set according to the target file, where every common terminal in the set contains the target file;
performing file detection on the common terminals in the common terminal set to determine a common file in the common terminals, the common file having an association relationship with the target file;
and creating a behavior relation chain for the target file according to the common file, the chain recording the file node of the target file and the file node of the common file.
In another aspect, an embodiment provides another method for creating a relationship chain, comprising:
performing behavior relation chain detection starting from a suspicious file in the terminal;
if a target file without an associated file is detected, sending a query request carrying the identifier of the target file to a server;
receiving from the server the common file identifier of a common file, where the common file is a file in a common terminal that the server has determined to have an association relationship with the target file, the common terminal having been determined by the server according to the target file identifier and containing the target file;
and creating a behavior relation chain for the target file according to the common file identifier.
In another aspect, an embodiment provides a relationship chain creation apparatus, comprising:
a determining unit, configured to determine a target file in a terminal, the target file being a terminal file whose associated file cannot be detected while the behavior relation chain of the target file is being detected;
the determining unit being further configured to determine a common terminal set according to the target file, where every common terminal in the set contains the target file;
a detection unit, configured to perform file detection on the common terminals in the common terminal set and determine a common file in the common terminals that has an association relationship with the target file;
and a creating unit, configured to create a behavior relation chain for the target file according to the common file, the chain recording the file node of the target file and the file node of the common file.
In another aspect, an embodiment provides another relationship chain creation apparatus, comprising:
a detection unit, configured to perform behavior relation chain detection starting from a suspicious file in the terminal;
a sending unit, configured to send a query request carrying the target file identifier to a server if a target file without an associated file is detected;
a receiving unit, configured to receive from the server the common file identifier of a common file, where the common file is a file in a common terminal that the server has determined to have an association relationship with the target file, the common terminal having been determined by the server according to the target file and containing the target file;
and a creating unit, configured to create a behavior relation chain for the target file according to the common file identifier.
In another aspect, an embodiment provides a server comprising a processor, a transceiver and a memory, interconnected, where the memory stores a computer program comprising program instructions and the processor is configured to invoke the program instructions to perform the following steps:
determining a target file in the terminal, the target file being a terminal file whose associated file cannot be detected while the behavior relation chain of the target file is being detected;
determining a common terminal set according to the target file, where every common terminal in the set contains the target file;
performing file detection on the common terminals in the common terminal set to determine a common file in the common terminals, the common file having an association relationship with the target file;
and creating a behavior relation chain for the target file according to the common file, the chain recording the file node of the target file and the file node of the common file.
In another aspect, an embodiment provides an intelligent terminal comprising a processor, an input device, an output device and a memory, interconnected, where the memory stores a computer program comprising program instructions and the processor is configured to invoke the program instructions to perform the following steps:
performing behavior relation chain detection starting from a suspicious file in the terminal;
if a target file without an associated file is detected, sending a query request carrying the identifier of the target file to a server;
receiving from the server the common file identifier of a common file, where the common file is a file in a common terminal that the server has determined to have an association relationship with the target file, the common terminal having been determined by the server according to the target file identifier and containing the target file;
and creating a behavior relation chain for the target file according to the common file identifier.
In yet another aspect, an embodiment provides a computer storage medium storing first computer program instructions which, when executed, implement the relationship chain creation method of the first aspect above.
In yet another aspect, an embodiment provides a computer storage medium storing second computer program instructions which, when executed, implement the relationship chain creation method of the other aspect above.
By correlating the files in the common terminals according to the target file to find the common file, the embodiments can, to some extent, create a complete behavior relation chain for files such as viruses and trojans, thereby improving the protection of files and making that protection more complete and accurate.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings show some embodiments of the invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a diagram of an application scenario of a user interface provided in an embodiment of the present invention;
Fig. 2 is a schematic diagram of an interactive system provided by an embodiment of the invention;
Fig. 3 is a flowchart illustrating a method for creating a relationship chain according to an embodiment of the present invention;
Fig. 4 is a flowchart illustrating another relationship chain creation method according to an embodiment of the present invention;
Fig. 5a is a schematic diagram of a detected relationship chain according to an embodiment of the present invention;
Fig. 5b is a schematic diagram of a relationship chain created according to an embodiment of the present invention;
Fig. 6 is a flowchart illustrating a method for creating a relationship chain according to another embodiment of the present invention;
Fig. 7 is a flowchart illustrating a method for creating a relationship chain according to another embodiment of the present invention;
Fig. 8a is a schematic diagram of a detected relationship chain according to another embodiment of the present invention;
Fig. 8b is a schematic diagram of a relationship chain created according to another embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a relationship chain creation apparatus according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of a relationship chain creation apparatus according to another embodiment of the present invention;
Fig. 11 is a schematic structural diagram of a server according to an embodiment of the present invention;
Fig. 12 is a schematic structural diagram of an intelligent terminal according to another embodiment of the present invention.
Detailed Description
In the embodiments of the invention, the terminal may provide a user interface containing a virus scan/protection button. As shown in fig. 1, the user instructs the terminal to perform virus scan/protection processing by clicking the button. When the terminal detects the click command, it performs file detection on the files in the terminal; if a suspicious file is found, that file is taken as the initial file for behavior relation chain detection, and the detection is run from it. In one embodiment, a suspicious file is a file detected by the terminal that has specified file behavior data, where the specified file behavior data records a specified behavior of the file, such as encrypting other files or corrupting other files. For example, a file that encrypts other files in the terminal may be regarded as suspicious; a file that destroys other files in the terminal may be regarded as suspicious; a file whose execution causes the terminal to crash or restart suddenly may be regarded as suspicious; and so on. In another embodiment, a suspicious file is a file detected by the terminal that has a specified file identifier. The specified identifier may be a specified file suffix (for example, a suffix identical to that of a known virus), specified file code (for example, part of the file's code is identical to code in the virus database), or a specified file name (for example, a name that is not on the terminal's white list).
During behavior relation chain detection, if the terminal finds a target file that has no associated file, it may send a query request carrying the identifier of the target file to the server, as shown in fig. 2. The associated file may be the parent file of the target file, i.e. the file that created the target file, or a subfile of the target file, i.e. a file created by the target file. After receiving the query request, the server determines which terminals contain the target file and takes that batch of terminals as common terminals. It then obtains a common file in the common terminals that has an association relationship with the target file, creates the behavior relation chain of the target file according to the common file, and feeds the chain back to the terminal. After receiving the chain, the terminal may perform virus removal/protection processing on the files corresponding to the file nodes recorded on it. In this way, even if a virus or trojan hides its behavior on one terminal so that it cannot be found there, correlating the files of many common terminals can, to some extent, reconstruct the complete behavior of the virus or trojan on that terminal, locate the source file from which it spreads, and apply removal/protection processing to the source file and the related files. Removing or blocking the virus at its source prevents the trojan from continuing to spread and damaging other files, which improves both removal efficiency and protection capability.
In one embodiment, the terminal may also upload a suspicious file to the server after detecting it. After collecting the suspicious files uploaded by terminals, the server may cluster the files of the common terminals and create a behavior relation chain, as shown in fig. 3, to obtain a complete chain. Specifically, the server may create the chain following the flow in fig. 4. In S401 the server backtracks the behavior relation chain to determine the source of the suspicious file. While backtracking, in S402 the server determines whether a chain break occurs, a chain break meaning that the server can no longer find a parent file. For example, as shown in fig. 5a, the server finds the parent of suspicious file D (suspicious file C) and the parent of suspicious file C (suspicious file B), but cannot find the parent of suspicious file B; this is a chain break.
If the chain is broken, the file whose parent cannot be found is taken as the broken-link file (suspicious file B in fig. 5a), and in S403 the server obtains the common terminals that contain the broken-link file. In S404 the server clusters the files in the common terminals: it collects those files, groups files of the same kind into one category, judges whether the files in a category share commonality, and takes files that do as common files. Commonality may be judged in many ways: for example, the files all contain the same process subfile, and/or they all contain a document of the same name, and/or they all access the same network, and so on. After clustering, in S405 the server checks whether a common file was found; if so, in S406 it creates a behavior relation chain from the common file. For example, the server finds common file A, and the creation time of A is earlier than that of suspicious file B, so the chain shown in fig. 5b can be created. Figs. 5a and 5b are only examples: each file in them may be a folder, a document or an executable program; for instance, suspicious files B and C are program files and suspicious file D is a folder.
Based on the relationship chain creation method of figs. 3 and 4, an embodiment further provides a relationship chain creation apparatus with two main modules: a common terminal file clustering module and a behavior relation chain creation module. The clustering module obtains the common terminals that contain the broken-link file, clusters the files in those terminals and searches for the common file; the creation module creates the behavior relation chain from the common file.
Fig. 6 shows a relationship chain creation method according to an embodiment. In one embodiment it is performed by a terminal, which may be a portable device such as a smartphone, a laptop or tablet computer, or a desktop computer.
The terminal determines a target file in the terminal, i.e. a terminal file whose associated file cannot be detected during behavior relation chain detection. Because the server stores the files of a large number of terminals, the terminal can obtain those files from the server and determine a common terminal set from them according to the target file, where every common terminal in the set contains the target file. Using the terminal files obtained from the server, it performs file detection on the common terminals to determine a common file that has an association relationship with the target file, and then creates a behavior relation chain for the target file from the common file.
In another embodiment the method is performed by a server, which may be a data processing server, a web server or another service device that performs relationship chain creation. In S601 the server determines a target file in the terminal, i.e. a terminal file whose associated file cannot be detected during behavior relation chain detection. In one embodiment the associated file is a parent file, so the target file is a terminal file whose parent cannot be detected, that is, the broken-link file described above, such as suspicious file B in fig. 5a. In another embodiment the associated file is a subfile, so the target file is a terminal file whose subfile cannot be detected, such as suspicious file D in fig. 5a.
The server may determine the target file in two ways. It may receive the target file uploaded by the terminal, which the terminal determined by relationship chain detection after detecting a suspicious file. Alternatively, the server may itself determine a suspicious file in the terminal, take it as the initial file for behavior relation chain detection, and run the detection to determine the target file; a suspicious file here is a file detected in the terminal that has specified file behavior data and/or a specified file identifier. Specifically, the server obtains the files uploaded by the terminal, detects them, and takes any file with the specified behavior data and/or identifier as suspicious. Three detection modes are described. Feature code matching: the server matches the code of the file against the code in the trojan/virus database and treats the file as suspicious if the matching degree exceeds a preset threshold. White list matching: the server maintains a white list of identifiers of safe, virus-free files and treats a file as suspicious if its identifier is not on the list. Behavior data matching: the server obtains the file's behavior data, which records the file's operations (for example accessing a particular network or downloading a particular file), and treats the file as suspicious if that behavior data is the same as the behavior data of a specified virus or trojan.
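The three detection modes above, together with the terminal-side criteria described under fig. 1 (behavior data, file identifier, white list), can be implemented as one triage step. The block below is an added example, not code from the patent or from Tencent: the file record layout, the byte n-gram overlap used as the "matching degree", the 0.6 threshold, and all sample files, signatures and behavior sets are this example's own assumptions, constructed so that it runs offline.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TerminalFile:
    """A file reported by a terminal: identifier, raw bytes and recorded behavior data (assumed layout)."""
    name: str
    content: bytes
    behaviors: frozenset  # behavior data recorded for the file, e.g. {"encrypt_other_files"}


def byte_ngrams(data: bytes, n: int = 4) -> set:
    """Overlapping n-byte substrings; this example uses them as the unit of 'feature code'."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def match_degree(sample: bytes, signature: bytes, n: int = 4) -> float:
    """Assumed matching metric: share of the signature's n-grams that occur in the sample.

    The page only says the file's code is matched against the trojan database and compared
    with a preset threshold; the n-gram overlap is this example's choice, not the patent's.
    """
    sig = byte_ngrams(signature, n)
    if not sig:
        return 0.0
    return len(sig & byte_ngrams(sample, n)) / len(sig)


def feature_code_check(f: TerminalFile, virus_db: dict, threshold: float = 0.6):
    """Feature code matching: (signature name, degree) of the best hit if it reaches the threshold."""
    best_name, best = None, 0.0
    for name, signature in virus_db.items():
        degree = match_degree(f.content, signature)
        if degree > best:
            best_name, best = name, degree
    return (best_name, best) if best >= threshold else None


def white_list_check(f: TerminalFile, white_list: frozenset) -> bool:
    """White list matching: a file whose identifier is not on the list is suspicious."""
    return f.name not in white_list


def behavior_check(f: TerminalFile, virus_behaviors: dict) -> list:
    """Behavior data matching: names of the viruses whose recorded behavior the file reproduces."""
    return sorted(name for name, beh in virus_behaviors.items() if beh and beh <= f.behaviors)


def triage(f: TerminalFile, virus_db: dict, white_list: frozenset, virus_behaviors: dict) -> dict:
    """Run all three modes and report which of them flag the file; an empty dict means clean."""
    reasons = {}
    hit = feature_code_check(f, virus_db)
    if hit:
        reasons["feature_code"] = hit
    if white_list_check(f, white_list):
        reasons["white_list"] = "identifier not on white list"
    hits = behavior_check(f, virus_behaviors)
    if hits:
        reasons["behavior"] = hits
    return reasons


# Constructed sample data (not from the page): one fake signature, one fake behavior profile.
VIRUS_DB = {"trojan.sample": b"\x55\x8b\xec\x83\xec\x40\xe8\x00\x00\x00\x00\x5d"}
VIRUS_BEHAVIORS = {"ransom.sample": frozenset({"encrypt_other_files", "delete_backups"})}
WHITE_LIST = frozenset({"notepad.exe", "svchost.exe"})
FILES = [
    TerminalFile("notepad.exe", b"\x4d\x5a\x90\x00\x03\x00\x00\x00\x04", frozenset()),
    TerminalFile("updater.exe", b"\x4d\x5a" + VIRUS_DB["trojan.sample"], frozenset({"download_file"})),
    TerminalFile("locker.exe", b"\x4d\x5a\x00\x00", frozenset({"encrypt_other_files", "delete_backups"})),
]


def triage_all(files=FILES, virus_db=VIRUS_DB, white_list=WHITE_LIST, virus_behaviors=VIRUS_BEHAVIORS) -> dict:
    """Map every file name to the reasons it was flagged (empty when no mode fired)."""
    return {f.name: triage(f, virus_db, white_list, virus_behaviors) for f in files}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(name, "suspicious" if reasons else "clean", reasons)
```

Each mode is reported separately because, as the page notes, they are independent: the white list alone flags every unknown file, so an operator will usually want to see which modes agreed before a file is promoted to the initial file of a behavior relation chain.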
After determining the target file, in S602 the server determines a common terminal set according to it; every common terminal in the set contains the target file. Specifically, the server collects the files of the many terminals connected to it; each terminal in which the target file is detected becomes a common terminal, and all common terminals form the set. Because every terminal containing the target file is a common terminal, the set also includes the terminal on which the behavior relation chain detection was performed.
In S603 the server performs file detection on the common terminals in the set and determines a common file in them that has an association relationship with the target file. In one embodiment this is a file that has a direct behavioral relationship with the target file. Behavioral relationships are either direct or indirect: a file has a direct behavioral relationship with the target file if it directly operates on the target file or is directly operated on by it, and an indirect behavioral relationship if it operates on an intermediate file which in turn operates on the target file. In fig. 5a, suspicious file B encrypts suspicious file C and C encrypts suspicious file D, so with respect to D, C has a direct behavioral relationship and B an indirect one.
In another embodiment, the server first determines intermediate files in the common terminals that have an association relationship with the target file. There may be many such intermediate files, with differing file behavior data: some encrypt the target file, some modify it, some corrupt it, and so on. An association relationship alone does not make an intermediate file suspicious, and an intermediate file present on only one or two common terminals is generally not regarded as suspicious.
Therefore the intermediate files are clustered by their file behavior data, and the common file is determined from the clustering result: it is the intermediate file that has a direct behavioral relationship with the target file, whose file behavior data matches that of the target file, and which most of the common terminals in the set contain. In one embodiment the clustering result contains one or more categories, and the intermediate files in one category have the same file identifier and the same file behavior data.
In S604 the server creates a behavior relation chain for the target file from the common file; the chain records the file node of the target file and the file node of the common file. As noted under S601, the target file may be one whose parent file, or one whose subfile, could not be detected. If the parent could not be detected, the server obtains the creation times of the target file and the common file and, if the common file was created earlier than the target file, makes the common file's node the parent node of the target file. If the subfile could not be detected, the server likewise compares the creation times and, if the common file was created later than the target file, makes its node a child node of the target file.
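The fig. 4 flow (S401 to S406) and steps S601 to S604 describe one procedure: backtrack parents until the chain breaks, collect the terminals that contain the broken-link file, cluster the files that have a direct behavioral relationship with it, and attach the cluster that most terminals share as parent or child according to creation time. The block below is an added example of that procedure and is not the patent's or Tencent's code. Its per-terminal record format (a creation-time map plus a list of `actor/action/target` operations), the rule that a parent is the first recorded file that operated on a file, the 50% "most terminals" threshold, and the five sample terminals are all assumptions; the sample set mirrors fig. 5a, with file A's creation of B left unrecorded on terminal T1 to stand for hidden behavior.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Op:
    """One recorded file behavior: `actor` performed `action` on `target` (assumed format)."""
    actor: str
    action: str
    target: str


@dataclass
class Terminal:
    terminal_id: str
    created_at: dict   # file_id -> creation time (integers here; any ordered stamp works)
    ops: list          # recorded Op entries; a hidden behavior simply has no entry


def parent_of(terminal: Terminal, file_id: str):
    """Direct parent: the first recorded file that operated on file_id, or None."""
    for op in terminal.ops:
        if op.target == file_id and op.actor != file_id:
            return op.actor
    return None


def backtrack(terminal: Terminal, suspicious: str):
    """S401/S402: follow parent links from the suspicious file until none is found.

    Returns (chain in root-to-leaf order, broken-link file). The broken-link file is the
    S601 target file: its parent cannot be detected on this terminal. Cycles stop the walk.
    """
    chain, seen, cur = [suspicious], {suspicious}, suspicious
    while True:
        parent = parent_of(terminal, cur)
        if parent is None or parent in seen:
            return chain[::-1], cur
        chain.append(parent)
        seen.add(parent)
        cur = parent


def common_terminal_set(terminals, target: str):
    """S602: every terminal that contains the target file, including the one where the chain broke."""
    return [t for t in terminals if target in t.created_at]


def intermediate_files(terminal: Terminal, target: str):
    """S603: files with a direct behavioral relationship to the target on one terminal."""
    for op in terminal.ops:
        if op.target == target and op.actor != target:
            yield op.actor, op.action, "operates_target"
        elif op.actor == target and op.target != target:
            yield op.target, op.action, "operated_by_target"


def find_common_file(common_set, target: str, relation: str, min_fraction: float = 0.5):
    """Cluster intermediate files by (file id, action, relation); keep the cluster of the
    wanted relation seen on at least min_fraction of the common terminals. Returns (id, fraction)."""
    clusters = defaultdict(set)
    for t in common_set:
        for file_id, action, rel in intermediate_files(t, target):
            clusters[(file_id, action, rel)].add(t.terminal_id)
    best = None
    for (file_id, action, rel), tids in clusters.items():
        fraction = len(tids) / len(common_set)
        if rel == relation and fraction >= min_fraction and (best is None or fraction > best[1]):
            best = (file_id, fraction)
    return best


def create_chain(terminal: Terminal, chain, target: str, common_file: str, missing: str):
    """S604: attach the common file as parent or child node, gated on creation time."""
    if common_file not in terminal.created_at:
        return chain
    t_common, t_target = terminal.created_at[common_file], terminal.created_at[target]
    if missing == "parent" and t_common < t_target:
        return [common_file] + chain
    if missing == "child" and t_common > t_target:
        return chain + [common_file]
    return chain


def build_chain(terminals, terminal_id: str, suspicious: str, min_fraction: float = 0.5):
    """Whole fig. 4 flow for a broken parent link: backtrack, common set, cluster, create."""
    terminal = next(t for t in terminals if t.terminal_id == terminal_id)
    chain, target = backtrack(terminal, suspicious)
    common_set = common_terminal_set(terminals, target)
    hit = find_common_file(common_set, target, "operates_target", min_fraction)
    return chain if hit is None else create_chain(terminal, chain, target, hit[0], missing="parent")


# Constructed sample terminals (not from the page). T1 mirrors fig. 5a; A's creation of B is hidden there.
TERMINALS = [
    Terminal("T1", {"A": 0, "B": 1, "C": 2, "D": 3}, [Op("B", "encrypt", "C"), Op("C", "encrypt", "D")]),
    Terminal("T2", {"A": 0, "B": 1, "C": 2}, [Op("A", "create", "B"), Op("B", "encrypt", "C")]),
    Terminal("T3", {"A": 0, "B": 1}, [Op("A", "create", "B")]),
    Terminal("T4", {"A": 0, "B": 1, "E": 2}, [Op("A", "create", "B"), Op("E", "modify", "B")]),
    Terminal("T5", {"A": 0, "F": 1}, [Op("A", "create", "F")]),   # lacks B, so not a common terminal
]

if __name__ == "__main__":
    print(backtrack(TERMINALS[0], "D"))       # (['B', 'C', 'D'], 'B')
    print(build_chain(TERMINALS, "T1", "D"))  # ['A', 'B', 'C', 'D']
```

On T1 the walk from D reaches B and stops, so B is the target file; T1 to T4 form the common set, the cluster (A, create, operates_target) is seen on three of the four, E's modification of B is seen on one and is dropped, and since A was created before B on T1 the chain becomes A, B, C, D as in fig. 5b. Raising `min_fraction` above 0.75 leaves the chain broken, which is the behavior to expect when too few terminals reported the hidden step.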
In one embodiment, after the server creates the behavior relation chain of the target file in S604, the server may further perform file protection processing on the files corresponding to the file nodes recorded on that chain, according to the created behavior relation chain of the target file; the file protection processing includes any one of isolation processing, deletion processing, or prompt processing. Specifically, the server may generate a file protection processing instruction for the files corresponding to the file nodes recorded on the behavior relation chain of the target file, where the instruction carries the file identifiers of those files, and then send the file protection processing instruction to the terminal. After receiving the instruction, the terminal finds the corresponding files in the terminal according to the file identifiers carried by the instruction and performs isolation processing, deletion processing or prompt processing on them.
The embodiment of the invention can perform correlation calculation on the files in the common terminal according to the target file to find out the common file, and can create a complete behavior relation chain of the files such as virus trojans and the like to a certain extent based on the common file, thereby improving the protection capability of the files and ensuring that the protection of the files is more complete and accurate.
In another embodiment, fig. 7 shows a flowchart of another relationship chain creation method. This method may be performed by a terminal such as a smartphone, a laptop or tablet computer, or a desktop computer. In one embodiment, the method may also be executed by application software in the terminal, which may be system software for virus searching and killing configured in the terminal at the time of factory shipment, or antivirus software downloaded and installed in the terminal by the user.
This embodiment takes the case where the terminal executes the relationship chain creation method as an example. The user can issue a virus killing/protection processing instruction in the user interface of the terminal; after receiving it, the terminal detects the files in the terminal and judges whether a suspicious file exists. In an embodiment, when determining whether a file is suspicious, the terminal may use feature code (signature) matching, white list matching, behavior data matching, and the like.
If the terminal detects that a suspicious file exists, behavior relation chain detection can be performed according to the suspicious file in the terminal in S701 to find out the complete behavior process related to the suspicious file. In S702, if the terminal detects a target file without an associated file, it sends a query request carrying the identifier of the target file to the server, so as to request the server to determine, according to the target file identifier, a common file having an association relation with the target file. After receiving the query request, the server may determine the target file according to the target file identifier carried in the request, and determine a batch of common terminals that contain the target file. The server can perform file detection on the common terminals, determine the common file in the common terminals that has an association relation with the target file, and send the common file identifier of the common file to the terminal.
The terminal may receive the common file identifier of the common file fed back by the server in S703, and create a behavior relation chain about the target file according to the common file identifier in S704. In one embodiment, the terminal may detect whether a file corresponding to the common file identifier exists in the terminal according to the common file identifier; and if so, creating a behavior relation chain about the target file according to the file corresponding to the common file identification. In one embodiment, the terminal may obtain the creation time of the common file and the creation time of the target file, and if the creation time of the common file is before the creation time of the target file, take the file node of the common file as a parent file node of the target file to create the behavior relation chain of the target file. In another embodiment, if the creation time of the common file is later than the creation time of the target file, the file node of the common file is used as a child file node of the target file to create the behavior relation chain of the target file.
In one embodiment, after the terminal creates the behavior relation chain of the target file, the terminal may perform file protection processing on the files corresponding to the file nodes recorded on that chain, according to the created behavior relation chain of the target file; the file protection processing includes any one of the following: isolation processing, deletion processing, or prompt processing.
In one embodiment, before performing the file protection processing, the terminal may further output a prompt message asking the user whether to perform the file protection processing, and, after receiving a determination instruction from the user, execute the file protection processing operation according to that instruction. In an embodiment, the determination instruction may be an instruction to perform file protection processing immediately, when the terminal is idle, within a specific time, or the like.
In the embodiment of the invention, in the process of file detection, if a suspicious file is detected and a target file without an associated file is detected in the process of behavior relation chain detection according to the suspicious file, a query request can be sent to the server, and a behavior relation chain is created based on a common file fed back by the server. Because the common file is determined by the server through correlation calculation of the files in the common terminal according to the target file, the terminal can create a complete behavior relation chain of the virus trojans (suspicious files) to a certain extent based on the common file, so that the protection capability of the files is improved, and the protection of the files is more complete and accurate.
For example, after receiving a virus killing/protection instruction sent by a user, the terminal may detect a file in the terminal and detect a suspicious file d. The terminal may then perform behavior relation chain detection on the suspicious file d, and in the process of detecting the behavior relation chain, the terminal detects the target file c without an associated file (parent file), as shown in fig. 8 a. The target file c may be a virus source file, and the parent file of the target file c may be hidden by a virus trojan, so that the target file c is not successfully detected by the terminal. Therefore, in order to eradicate the virus Trojan, the terminal can send a query request carrying the target file identifier of the target file c to the server so as to request the server to search for the common file which has the association relation with the target file c.
After receiving the query request, the server may determine the common terminals having the target file c, perform file detection on the common terminals, and search for a common file having an association relationship with the target file in the common terminals. If the server does not find the common file, the server can regard the target file c as a virus source file, and send notification information to the terminal to notify the terminal that the target file c is the virus source file. After receiving the notification information, the terminal may consider the behavior relation chain in fig. 8a as a complete behavior relation chain, and perform file protection processing on the target file c and the suspicious file d.
If the server finds the common file b, it can feed back the common file identifier of the common file b to the terminal. After receiving the common file identifier, the terminal may find the common file b in the terminal and use the common file b as the parent file of the target file c to create the behavior relation chain. By the same method, the terminal can go on to find the parent file of the common file b (namely the common file a), and may repeat the method until a virus source file is found, thereby determining a complete behavior relation chain. In the embodiment of the present invention, after the common file a is determined, the server cannot detect a parent file of the common file a based on the files in the common terminals, so the common file a may be regarded as the virus source file; this yields the complete behavior relation chain shown by the solid line in fig. 8b and the process of file operations of the virus trojan: the common file a downloads the target file c (the virus trojan) from the download address in the common file b, and the target file c encrypts the suspicious file d. Since a suspicious file may have multiple behavior relation chains, the terminal may by the same method also obtain the behavior relation chain shown by the dotted line in fig. 8b: the common file a runs the target file c (the virus trojan), which encrypts the suspicious file d. The terminal can perform file protection processing on each file (such as files a, b, c and d) involved in the created behavior relation chains. By creating a complete behavior relation chain, important data support can be provided for the virus identification process, so that the searching and killing efficiency and the protection capability of antivirus software are improved.
It should be noted that fig. 8a and fig. 8b are only examples, and each file therein may be a folder, a document, or an executable program file; for example, the target file c is a program file, the suspicious file d is a folder, the common file b is a text file containing a download website, and the common file a is an executable program file with a basic download function.
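The terminal/server exchange of S701 to S704, replayed over the fig. 8 scenario as an added example that is not the patent's code. The server's search across the common terminals (the subject of the example above) is stood in for here by a constructed lookup table `SERVER_PARENT_INDEX` that maps a target file identifier to the parent common file the search would return, or `None` where no common file is found and the target is treated as the virus source file. The message shapes, the function names `server_handle_query` and `terminal_build_chain`, and the local file table are this example's own.

```python
# Constructed: the outcome of the server's common-terminal search for each target.
SERVER_PARENT_INDEX = {
    "c": "b",   # common file b downloads target file c
    "b": "a",   # common file a uses the download address in b
    "a": None,  # no parent on any common terminal: a is the virus source file
}

# Constructed: files present on the querying terminal, with creation times.
LOCAL_FILES = {"a": 10, "b": 20, "c": 30, "d": 40}


def server_handle_query(request):
    """Server side of S702: answer a query request for the target's common file,
    or notify the terminal that the target is the virus source file."""
    target_id = request["target_file_id"]
    common_id = SERVER_PARENT_INDEX.get(target_id)
    if common_id is None:
        return {"type": "notify_source", "target_file_id": target_id}
    return {"type": "common_file", "target_file_id": target_id,
            "common_file_id": common_id}


def terminal_build_chain(suspicious_id, target_id, local_files, send):
    """Terminal side: S702 send query, S703 receive common file identifier,
    S704 check the file exists locally and link it as parent; repeat until the
    server reports a source file. Returns (chain from source to suspicious
    file, stop reason)."""
    chain = [target_id, suspicious_id]
    seen = {target_id, suspicious_id}
    while True:
        reply = send({"type": "query", "target_file_id": target_id})
        if reply["type"] == "notify_source":
            return chain, "source_found"
        common_id = reply["common_file_id"]
        if common_id not in local_files:      # S704: file must exist on this terminal
            return chain, "common_file_missing"
        if common_id in seen:                  # guard: a cyclic index never terminates otherwise
            return chain, "cycle"
        if local_files[common_id] >= local_files[target_id]:
            return chain, "creation_order_conflict"  # a parent must be created earlier
        chain.insert(0, common_id)             # parent node goes in front of the target
        seen.add(common_id)
        target_id = common_id                  # continue from the new parent


def replay_fig8():
    """Start from suspicious file d and its parentless target c, as in fig. 8a."""
    return terminal_build_chain("d", "c", LOCAL_FILES, server_handle_query)


if __name__ == "__main__":
    print(replay_fig8())  # (['a', 'b', 'c', 'd'], 'source_found')
```

The loop stops in three other situations the text leaves implicit: the server names a common file that is not present on this terminal (the S704 existence check fails), the creation order contradicts a parent relation, or the index loops back to a file already on the chain; each returns the partial chain built so far, which is what the terminal would then apply protection processing to.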
Based on the description of the above method embodiment, in an embodiment, an embodiment of the present invention further provides a schematic structural diagram of a relationship chain creation apparatus as shown in fig. 9. As shown in fig. 9, the relationship chain creation apparatus in the embodiment of the present invention may include:
a determining unit 101, configured to determine a target file in a terminal, where the target file refers to a terminal file whose associated file cannot be detected in the process of behavior relation chain detection.
The determining unit 101 is further configured to determine a common terminal set according to the target file, where common terminals in the common terminal set all include the target file.
A detecting unit 102, configured to perform file detection on the common terminal in the common terminal set, and determine a common file in the common terminal, where the common file has an association relationship with the target file.
A creating unit 103, configured to create, according to the common file, a behavior relation chain about the target file, where a file node of the target file and a file node of the common file are recorded on the behavior relation chain.
In one embodiment, the detection unit 102 may be specifically configured to: performing file detection on the common terminals in the common terminal set to determine intermediate files in the common terminals, wherein the intermediate files have an association relationship with the target file; clustering the intermediate files based on the file behavior data of the intermediate files to obtain clustering results; and determining a common file according to the clustering result, wherein the common file refers to a file which has a direct behavior relation with the target file in the intermediate files.
In one embodiment, the clustering result includes one or more clustering categories, and the file identifiers of the intermediate files in each clustering category are the same and have the same file behavior data.
In one embodiment, the creating unit 103 may be specifically configured to: acquiring the creation time of the target file and the creation time of the common file; and if the creation time of the common file is before the creation time of the target file, taking the file node of the common file as a parent file node of the target file to create a behavior relation chain of the target file.
In one embodiment, the determining unit 101 may be specifically configured to: determining a suspicious file in a terminal, and taking the suspicious file as an initial file for behavior relation chain detection, wherein the suspicious file is a file which is detected in the terminal and has designated file behavior data and/or designated file identification; and performing behavior relation chain detection on the initial file to determine a target file.
In an embodiment, the relationship chain creating apparatus may further include a processing unit 104, configured to perform file protection processing on the files corresponding to the file nodes recorded on the behavior relation chain of the target file, according to the created behavior relation chain of the target file; the file protection processing includes any one of: isolation processing, deletion processing, or prompt processing.
The embodiment of the invention can perform correlation calculation on the files in the common terminal according to the target file to find out the common file, and can create a complete behavior relation chain of the files such as virus trojans and the like to a certain extent based on the common file, thereby improving the protection capability of the files and ensuring that the protection of the files is more complete and accurate.
Based on the description of the above method embodiment, in an embodiment, an embodiment of the present invention further provides a schematic structural diagram of a relationship chain creation apparatus as shown in fig. 10. As shown in fig. 10, the relationship chain creation apparatus in the embodiment of the present invention may include:
a detecting unit 201, configured to perform behavioral relationship chain detection according to a suspicious file in a terminal.
A sending unit 202, configured to send, to a server, an inquiry request carrying an identifier of a target file if the target file without an associated file is detected.
A receiving unit 203, configured to receive a common file identifier of a common file fed back by the server, where the common file is a file that has an association relationship with the target file in a common terminal determined by the server, the common terminal is determined by the server according to the target file, and the common terminal includes the target file.
A creating unit 204, configured to create a behavior relation chain about the target file according to the common file identifier.
In one embodiment, the creating unit 204 may be specifically configured to: detecting whether a file corresponding to the common file identifier exists in the terminal or not according to the common file identifier; and if so, creating a behavior relation chain about the target file according to the file corresponding to the common file identification.
In an embodiment, the relationship chain creating apparatus may further include a processing unit 205, configured to perform file protection processing on a file corresponding to a file node recorded on the behavior relationship chain of the target file according to the created behavior relationship chain of the target file; wherein the file protection process includes any one of: isolation processing, deletion processing, protection processing or killing processing.
In the embodiment of the invention, in the process of file detection, if a suspicious file is detected and a target file without an associated file is detected in the process of behavior relation chain detection according to the suspicious file, a query request can be sent to the server, and a behavior relation chain is created based on a common file fed back by the server. Because the common file is determined by the server through correlation calculation of the files in the common terminal according to the target file, the terminal can create a complete behavior relation chain of the virus trojans (suspicious files) to a certain extent based on the common file, so that the protection capability of the files is improved, and the protection of the files is more complete and accurate.
In an embodiment, an embodiment of the present invention further provides a schematic structural diagram of a server as shown in fig. 11. The server in the embodiment of the present invention shown in fig. 11 may include: a processor 301, a transceiver 302 and a memory 303, said processor 301, transceiver 302 and memory 303 being interconnected, wherein said memory 303 is adapted to store a computer program comprising program instructions, said processor 301 is adapted to execute the program instructions stored by memory 303.
In one embodiment, the processor 301 may be a Central Processing Unit (CPU) or another general-purpose processor, such as a microprocessor or any conventional processor. The memory 303 may include both read-only memory and random access memory, and provides instructions and data to the processor 301. Accordingly, the processor 301 and the memory 303 are not limited herein.
In the embodiment of the present invention, one or more instructions stored in the computer storage medium are loaded and executed by the processor 301 to implement the corresponding steps of the method in the corresponding embodiment; in a specific implementation, at least one instruction in the computer storage medium is loaded by the processor 301 and performs the following steps:
determining a target file in the terminal, wherein the target file is a terminal file whose associated file cannot be detected in the process of behavior relation chain detection; determining a common terminal set according to the target file, wherein the common terminals in the common terminal set all contain the target file; performing file detection on the common terminals in the common terminal set to determine a common file in the common terminals, wherein the common file has an association relation with the target file; and creating a behavior relation chain about the target file according to the common file, wherein the behavior relation chain records the file node of the target file and the file node of the common file.
In an embodiment, when performing file detection on a common terminal in the common terminal set and determining a common file in the common terminal having an association relationship with the target file, the at least one instruction is loaded by the processor 301 and performs the following steps:
performing file detection on the common terminals in the common terminal set to determine intermediate files in the common terminals, wherein the intermediate files have an association relationship with the target file; clustering the intermediate files based on the file behavior data of the intermediate files to obtain clustering results; and determining a common file according to the clustering result, wherein the common file refers to a file which has a direct behavior relation with the target file in the intermediate files.
In one embodiment, the clustering result includes one or more clustering categories, and the file identifiers of the intermediate files in each clustering category are the same and have the same file behavior data.
In one embodiment, when creating a chain of behavioral relationships with respect to the target file based on the commonality file, the at least one instruction is loaded by the processor 301 and performs the steps of:
acquiring the creation time of the target file and the creation time of the common file; and if the creation time of the common file is before the creation time of the target file, taking the file node of the common file as a parent file node of the target file to create a behavior relation chain of the target file.
In one embodiment, when the target file in the terminal is determined, the at least one instruction is loaded by the processor 301 and performs the following steps:
determining a suspicious file in a terminal, and taking the suspicious file as an initial file for behavior relation chain detection, wherein the suspicious file is a file which is detected in the terminal and has designated file behavior data and/or designated file identification; and performing behavior relation chain detection on the initial file to determine a target file.
In one embodiment, the loading of the at least one instruction by processor 301 may further perform the steps of:
according to the created behavior relation chain of the target file, performing file protection processing on the files corresponding to the file nodes recorded on the behavior relation chain of the target file; wherein the file protection processing includes any one of: isolation processing, deletion processing, or prompt processing.
In an embodiment, an embodiment of the present invention further provides a schematic structural diagram of an intelligent terminal as shown in fig. 12. The intelligent terminal in the embodiment of the present invention shown in fig. 12 may include: one or more processors 401; one or more input devices 402, one or more output devices 403, and memory 404. The processor 401, the input device 402, the output device 403, and the memory 404 are connected by a bus 405. The memory 404 is used for storing a computer program comprising program instructions and the processor 401 is used for executing the program instructions stored by the memory 404.
In one embodiment, the processor 401 may be a Central Processing Unit (CPU), or other general-purpose processor, such as a microprocessor or any conventional processor. The memory 404 may include a read-only memory and a random access memory, and provides instructions and data to the processor 401. Therefore, the processor 401 and the memory 404 are not limited herein.
In the embodiment of the present invention, one or more instructions stored in a computer storage medium are loaded and executed by the processor 401 to implement the corresponding steps of the method in the corresponding embodiment; in a particular implementation, at least one instruction in the computer storage medium is loaded by the processor 401 and performs the following steps:
performing behavior relation chain detection according to suspicious files in the terminal; if a target file without an associated file is detected, sending a query request carrying the target file identifier to a server; receiving a common file identifier of a common file fed back by the server, wherein the common file is a file which is determined by the server and has an association relation with the target file in a common terminal, the common terminal is determined by the server according to the target file identifier, and the common terminal comprises the target file; and creating a behavior relation chain about the target file according to the common file identification.
In one embodiment, when creating a chain of behavioral relationships with respect to the target file based on the common file identifier, the at least one instruction is loaded by processor 401 and performs the steps of:
detecting whether a file corresponding to the common file identifier exists in the terminal or not according to the common file identifier; and if so, creating a behavior relation chain about the target file according to the file corresponding to the common file identification.
In one embodiment, the loading of the at least one instruction by processor 401 may further perform the steps of:
according to the created behavior relation chain of the target file, performing file protection processing on the files corresponding to the file nodes recorded on the behavior relation chain of the target file; wherein the file protection processing includes any one of: isolation processing, deletion processing, or prompt processing.
It should be noted that, for the specific working process of the terminal and the unit described above, reference may be made to the relevant description in the foregoing embodiments, and details are not described here again.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
While the invention has been described with reference to a number of embodiments, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (15)

1. A method of relationship chain creation, comprising:
determining a target file in the terminal, wherein the target file is a terminal file whose associated file cannot be detected in the process of behavior relation chain detection;
determining a common terminal set according to the target file, wherein common terminals in the common terminal set all comprise the target file;
performing file detection on the common terminals in the common terminal set to determine a common file in the common terminals, wherein the common file has an association relation with the target file; the common file and the target file have a direct behavior relationship, and the file behavior data of the common file matches the file behavior data of the target file; wherein the direct behavior relationship is: a behavior relationship of directly operating on the target file, or a behavior relationship of being directly operated on by the target file;
and creating a behavior relation chain about the target file according to the common file, wherein the behavior relation chain records the file node of the target file and the file node of the common file.
2. The method according to claim 1, wherein the performing the file detection on the common terminal in the common terminal set to determine the common file in the common terminal having an association relationship with the target file comprises:
performing file detection on the common terminals in the common terminal set to determine intermediate files in the common terminals, wherein the intermediate files have an association relationship with the target file;
clustering the intermediate files based on the file behavior data of the intermediate files to obtain clustering results;
and determining a common file according to the clustering result, wherein the common file refers to a file which has a direct behavior relation with the target file in the intermediate files.
3. The method of claim 2, wherein the clustering result comprises one or more clustering categories, and the file identifications of the intermediate files in each clustering category are the same and have the same file behavior data.
4. The method of any of claims 1-3, wherein said creating a behavior relation chain about the target file according to the common file comprises:
acquiring the creation time of the target file and the creation time of the common file;
and if the creation time of the common file is before the creation time of the target file, taking the file node of the common file as a parent file node of the target file to create a behavior relation chain about the target file.
5. The method according to any one of claims 1-3, wherein said determining the target file in the terminal comprises:
determining a suspicious file in a terminal, and taking the suspicious file as an initial file for behavior relation chain detection, wherein the suspicious file is a file which is detected in the terminal and has designated file behavior data and/or designated file identification;
and performing behavior relation chain detection on the initial file to determine a target file.
6. The method of claim 1, wherein the method further comprises:
according to the created behavior relation chain about the target file, file protection processing is carried out on the file corresponding to the file node recorded on the behavior relation chain about the target file;
wherein the file protection processing includes any one of: isolation processing, deletion processing, or prompt processing.
7. A method of relationship chain creation, comprising:
performing behavior relation chain detection according to suspicious files in the terminal;
if a target file without an associated file is detected, sending a query request carrying a target file identifier to a server;
receiving a common file identifier of a common file fed back by the server, wherein the common file is a file, determined by the server, that has an association relation with the target file in a common terminal, the common terminal is determined by the server according to the target file identifier, and the common terminal contains the target file; the common file and the target file have a direct behavior relationship, and the file behavior data of the common file matches the file behavior data of the target file; wherein the direct behavior relationship is: a behavior relationship of directly operating on the target file, or a behavior relationship of being directly operated on by the target file;
and creating a behavior relation chain about the target file according to the common file identification.
8. The method of claim 7, wherein said creating a behavior relation chain about the target file according to the common file identifier comprises:
detecting whether a file corresponding to the common file identifier exists in the terminal or not according to the common file identifier;
and if so, creating a behavior relation chain about the target file according to the file corresponding to the common file identification.
9. The method of claim 7 or 8, wherein the method further comprises:
according to the created behavior relation chain about the target file, file protection processing is carried out on the file corresponding to the file node recorded on the behavior relation chain about the target file;
wherein the file protection process includes any one of: isolation processing, deletion processing, protection processing or killing processing.
10. A relationship chain creation apparatus, comprising:
a determining unit, configured to determine a target file in a terminal, where the target file is a terminal file whose associated file cannot be detected in the process of behavior relation chain detection;
the determining unit is further configured to determine a common terminal set according to the target file, where common terminals in the common terminal set all include the target file;
the detection unit is used for carrying out file detection on the common terminals in the common terminal set and determining common files in the common terminals, wherein the common files have association relation with the target files; the common file and the target file have a direct behavior relationship, and the file behavior data of the common file is matched with the file behavior data of the target file; wherein the direct behavior relationship is: the behavioral relationship of directly operating the target file or the behavioral relationship of directly operating the target file;
and the creating unit is used for creating a behavior relation chain related to the target file according to the common file, and the file node of the target file and the file node of the common file are recorded on the behavior relation chain.
11. A relationship chain creation apparatus, comprising:
a detection unit, configured to perform behavior relation chain detection according to a suspicious file in the terminal;
a sending unit, configured to send a query request carrying a target file identifier to a server if a target file without an associated file is detected;
a receiving unit, configured to receive a common file identifier of a common file fed back by the server, where the common file is a file that has an association relation with the target file in a common terminal determined by the server, the common terminal is determined by the server according to the target file, and the common terminal contains the target file; the common file and the target file have a direct behavior relationship, and the file behavior data of the common file matches the file behavior data of the target file; wherein the direct behavior relationship is: the behavioral relationship of directly operating the target file or of being directly operated by the target file;
and a creating unit, configured to create a behavior relation chain about the target file according to the common file identifier.
12. A server, characterized in that it comprises a processor, a transceiver and a memory, the processor, the transceiver and the memory being interconnected, wherein the memory is used for storing a computer program comprising program instructions, and the processor is configured to invoke the program instructions to perform the relationship chain creation method according to any one of claims 1-6.
13. An intelligent terminal, characterized in that it comprises a processor, an input device, an output device and a memory, the processor, the input device, the output device and the memory being interconnected, wherein the memory is used for storing a computer program comprising program instructions, and the processor is configured to invoke the program instructions to perform the relationship chain creation method according to any one of claims 7-9.
14. A computer storage medium storing first computer program instructions adapted to be loaded by a processor and to perform the relationship chain creation method according to any one of claims 1-6.
15. A computer storage medium, characterized in that it stores second computer program instructions adapted to be loaded by a processor and to perform the relationship chain creation method according to any one of claims 7-9.
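As an added illustration of the terminal-side procedure in claims 7-9 and the server-side lookup in claims 10-11 (example code, not from the patent), the following uses constructed telemetry; the file names, the tag-overlap rule used for "matched" behavior data, and the isolate action are assumptions.

```python
"""Cross-terminal behavior relation chain lookup (added example, constructed data)."""
from collections import defaultdict
# Server-side telemetry: terminal -> (operator_file, operation, operated_file) events.
EVENTS = {
    "term-1": [("dropper.exe", "create", "payload.dll"), ("payload.dll", "exec", "svc.exe")],
    "term-2": [("dropper.exe", "create", "payload.dll")],
    "term-3": [("editor.exe", "write", "notes.txt")],
}
# File behavior data as tag sets; "matched" is assumed to mean overlapping tags.
BEHAVIOR = {
    "dropper.exe": {"net:connect", "fs:create-exe"},
    "payload.dll": {"fs:create-exe", "proc:exec"},
    "svc.exe": {"proc:exec"},
    "editor.exe": {"fs:write"},
}

def server_common_files(target):
    """Claim 10: on each common terminal (one containing the target), a common file
    directly operates the target or is operated by it, with matching behavior data."""
    common = set()
    for evs in EVENTS.values():
        if not any(target in (s, d) for s, _, d in evs):  # not a common terminal
            continue
        for src, _, dst in evs:
            other = dst if src == target else src if dst == target else None
            if other and BEHAVIOR.get(other, set()) & BEHAVIOR.get(target, set()):
                common.add(other)
    return sorted(common)

def terminal_chain(local_events, local_files, suspicious):
    """Claims 7-8: a suspicious file with no associated file locally is a target file;
    query the server and link only the common files that exist on this terminal."""
    linked = defaultdict(set)
    for src, _, dst in local_events:
        linked[src].add(dst); linked[dst].add(src)
    chain = {}
    for f in suspicious:
        chain[f] = sorted(linked[f]) if linked[f] else [
            cf for cf in server_common_files(f) if cf in local_files]
    return chain

def protect(chain, action="isolate"):
    """Claim 9: apply one protection action to every file node on the chain."""
    nodes = set(chain) | {f for fs in chain.values() for f in fs}
    return [(f, action) for f in sorted(nodes)]

# Constructed querying terminal: payload.dll is present but nothing links to it locally.
LOCAL_EVENTS = [("editor.exe", "write", "readme.txt")]
LOCAL_FILES = {"payload.dll", "dropper.exe", "editor.exe", "readme.txt"}
```

Note that svc.exe is returned by the server but dropped by the claim 8 existence check, because it is not present on the querying terminal.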
Priority Applications (1)

Application Number: CN201810543956.4A
Priority Date: 2018-05-30
Filing Date: 2018-05-30
Title: Relationship chain creating method and device, server, terminal and storage medium
Status: Active

Publications (2)

CN108763936A (en), published 2018-11-06
CN108763936B (en), published 2022-02-22

Family ID: 64004710

Country Status (1)

CN: CN108763936B (en)

Citations (4)

* Cited by examiner, † Cited by third party
CN103971053A (*): priority 2013-01-30, published 2014-08-06, 腾讯科技(深圳)有限公司, "Trojan file transmission relation determining method and related device"
US9239907B1 (*): priority 2010-07-06, published 2016-01-19, Symantec Corporation, "Techniques for identifying misleading applications"
CN105468973A (*): priority 2015-11-18, published 2016-04-06, 中国地质大学(武汉), "Information hiding method based on DEX file airspace in Android system"
CN106130966A (*): priority 2016-06-20, published 2016-11-16, 北京奇虎科技有限公司, "A vulnerability mining detection method, server, device and system"

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant